U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report

Personnel Security Clearances and Badge Access Controls at Selected Field Locations

DOE/IG-0582
January 2003

TABLE OF CONTENTS

Site Management of Badge Recovery and Clearance Termination
    Details of Finding
    Recommendations
    Comments

Appendices
    1. Management Comments
    2. Objective, Scope and Methodology
    3. Prior Reports

SITE MANAGEMENT OF BADGE RECOVERY AND CLEARANCE TERMINATION

Details of Finding

Potential Access by Former Non-Federal Workforce

At each of the four locations we visited – the Oak Ridge Reservation (Oak Ridge), the Savannah River Site (Savannah River), and the Sandia and Los Alamos National Laboratories (Sandia and Los Alamos) – we selected random samples of contractor and other non-federal workers to determine whether badges had been recovered when the workers terminated their association with the Department.
Although there were some discrepancies at three of the four locations, only at Oak Ridge was the number of discrepancies significant.

Department directives require security badges to be surrendered to a badging office when individuals terminate their association with the Department. Once returned, issuing organizations are required to physically destroy the badge and update the tracking system to revoke the individual's authority to possess a badge. Badges remain the property of the Government and must be surrendered whenever an individual is transferred, terminates employment or association, or when no longer required.

At Oak Ridge, 26 of the 309 records sampled indicated that former workers retained badge authority. The badge system showed that three of these individuals were entitled to Q or L badges that would have allowed them, at least theoretically, to inappropriately access restricted areas or classified information. In another case, a former Oak Ridge worker retained authority for a badge even though his employment terminated almost 4 years earlier.

After we pointed out these discrepancies to security officials, they told us that they canceled all of the outstanding authorizations and were able to physically recover 6 of the 26 badges (including a Q and an L badge) from the individuals who had terminated their association with the Department.
They also indicated that 15 of these individuals could not be located so their badges could not be recovered. Officials discovered that the remaining five individuals were re-hired after our test work.

The numbers of discrepancies at the other sites were not as significant. At Sandia in Albuquerque, New Mexico, we noted that 3 of the 416 individuals in our sample retained security badge authority. Site officials indicated that they were able to recover all of these badges from the individuals we identified. At Savannah River, we found only 2 of 280 records that resulted in exceptions, while at Los Alamos, there were none.

It is important to note that at Oak Ridge, as is the case with most Department sites, a person who is inappropriately listed as an active employee in the local badge system can gain access to the site by presenting another form of identification. As we have noted in a number of reports in this area (Appendix 2), unauthorized individuals could gain access to the Department's facilities and engage in malicious acts. The potential for transfer, conversion, or counterfeit of badges based on those improperly retained also increases the risk of harm.

Termination of Clearances

We also reviewed random samples of non-federal workers to determine whether the four sites had canceled security clearances¹ in the Central Personnel Clearance Index (CPCI) when the workers terminated their association with the Department.
While we found discrepancies in the CPCI records at all four locations, the error rates were most significant at Savannah River and Sandia.

When a security clearance is no longer needed, a Termination Statement must be submitted to a Department personnel security office at the site. Site officials told us that, based on receipt of the Termination Statement, federal officials update the individual's personnel security file and record the date that access authorization was terminated. These officials also update the CPCI, the official Department repository where all clearance data are maintained. Maintaining accurate information in the CPCI is critical because security officials may use it to verify clearance levels and issue badges to visitors.

At Savannah River and Sandia, error rates in the CPCI were approximately 19 percent and 13 percent, respectively. At Savannah River, 34 of 177 individuals improperly retained the authority to hold clearances. While 18 of these errors appeared to have been caused by the failure of Federal officials to update the CPCI, 16 of the personnel security files did not contain Termination Statements, which indicates that the contractor had not taken action to initiate the termination process. Two individuals retained Q clearances even though their associations had ended more than 10 years earlier. Similarly, at Sandia 14 of 108 individuals inappropriately maintained active clearances. For example, one student held an L clearance even though the assignment was terminated in September 1997.
Only 2 of the 14 personnel security files contained evidence that the termination process had been initiated.

¹ "Security clearance" and its variations mean "access authorization" as defined in Title 10, Code of Federal Regulations, Part 710 and DOE Order 472.1B.

The error rates at Oak Ridge and Los Alamos were not as significant. At Oak Ridge we found 15 individuals that had active clearances in the CPCI, which represented about 6 percent of the random sample. At Los Alamos, only two individuals maintained active status, representing less than 1 percent of the sample. While these clearances remained active in the CPCI, we noted that personnel security files for these individuals contained properly completed Termination Statements.

This breakdown of controls over clearance terminations could allow unauthorized access to information and facilities. Officials from Headquarters Personnel Security indicated that unauthorized individuals could gain access to headquarters' facilities if their clearances were not properly terminated in the CPCI system and a third party verified their visit.
Thus, the information in the CPCI is a critical part of the control structure for preventing access by unauthorized individuals, and identified weaknesses in the system reduce its effectiveness as a security layer.

Badging and Clearance Controls

Site-level badge recovery and clearance termination processes were inefficient and suffered from a number of control weaknesses. Contractor officials told us that they were not always provided with exit or termination information. Additionally, some sites relied on faxes or hand-delivery of employment or clearance termination information that was not always effective. For example, while Sandia officials had evidence that they had faxed seven clearance termination statements, the Albuquerque Personnel Security Office had no record of receipt and did not terminate the clearances in the CPCI system. Savannah River used a "hand carry" system to provide clearance termination notifications but did not require acknowledgement of receipt. Site badge officials also told us that they did not always follow up with Department personnel security offices to ensure that the termination information was received and that updates were properly made in the CPCI system.

We also observed that sites did not employ a comprehensive reconciliation process to identify individuals that no longer required badges or clearances.
For example, while reconciliations between the CPCI and local badge systems took place, comparisons of human resource information to clearance or badge systems were not always performed.

Information, Property, and Individuals at Risk

Failure to promptly terminate clearances and recover badges increases the risk of malicious damage or unauthorized access to Department assets and potentially endangers Department workers. Current processes do not ensure that authorizations are promptly removed from systems and could give those who improperly retained a clearance or badge a window of opportunity to enter or access sites without authority. Therefore, the possibility exists that disgruntled or disloyal former workers could gain access with the intent to disrupt operations, obtain information, or cause harm to Department property or employees.
If security controls are not rigorously enforced, national security information, various types of classified and unclassified property, and the security of Department workers are at risk.

RECOMMENDATIONS

To improve controls over clearance terminations and badge recovery, we recommend that the Assistant Secretary for Environmental Management, the Director, Office of Science, and the Associate Administrator for Facilities and Operations, National Nuclear Security Administration should, in conjunction with the Office of Security:

1. Enhance controls to ensure that badges are recovered and that clearances are appropriately terminated when no longer needed. At a minimum:

   a. Establish requirements and associated incentives for sub or lower tier contractors to promptly recover badges and initiate action to terminate unneeded clearances.

   b. Require personnel security offices to acknowledge receipt of termination notifications, and require site badging officials to ensure that updates have been entered in the CPCI system.

2. Develop procedures to ensure consistency between the site systems that track security badges and the CPCI. At a minimum, require site badging officials to periodically reconcile human resources data to the local badge system and the Department's CPCI system.

3.
   Evaluate and correct, as necessary, information in both the CPCI and the badge systems to ensure that only currently employed individuals hold active clearance and badge status.

MANAGEMENT REACTION

NNSA concurred with the recommendations and planned to take corrective actions to address the conditions cited in this report. While the Offices of Environmental Management and Science did not specifically concur with the recommendations, they took corrective actions that were responsive to the recommendations. In addition, we provided clarifying information and made adjustments to the report to address specific management comments. After completion of these technical adjustments, the Office of Security informed us that it generally concurred with our findings and recommendations.

In commenting on the draft report, the Office of Science commented on Recommendation 1 and indicated that the establishment of requirements and incentives for badge recovery and clearance termination may not be necessary because an existing Departmental Order and Manual already establish requirements.
The Office of Science also indicated that the draft report implied an overly simplified correlation between unauthorized access to security areas and access to classified matter.

AUDITOR COMMENTS

With respect to the Office of Science comments, we recognize that a DOE Order and Manual establishing such requirements were in place during our fieldwork. However, Recommendation 1 is directed at establishing controls at the site level to ensure that Departmental requirements such as DOE Orders and Manuals are implemented. Additionally, DOE Manual 5632.1C-1 applicable to the recovery of badges was recently cancelled and replaced with DOE Manual 473.1-1, which exempts sites using Office of Science badges from Department security badge requirements.
Accordingly, it is important for these Office of Science sites to establish both requirements for recovering badges and terminating clearances, as well as controls to ensure that such requirements are implemented.

Regarding the Office of Science contention that the report presented an overly simplified correlation between unauthorized access to security areas and access to classified matter, we acknowledge that a valid need-to-know is necessary before access to classified matter can be granted. However, the information in the report points out that a weakness in any layer of security can reduce the overall effectiveness of controls established to prevent unauthorized access.

Appendix 1

Management Comments

Appendix 2

OBJECTIVE

To determine whether the Department was recovering security badges and terminating unneeded clearances when non-federal employees terminate employment.

SCOPE

The audit was performed from April through August 2002 at the Oak Ridge National Laboratory, East Tennessee Technology Park, and Y-12 Plant in Oak Ridge, Tennessee.
We also performed work at the Savannah River Site near Aiken, South Carolina; at Sandia National Laboratory in Albuquerque, New Mexico; and at Los Alamos National Laboratory in Los Alamos, New Mexico. Our test work consisted of random sampling of universes from site badge and human resources systems, using the Headquarters Central Personnel Clearance Index as of April 15, 2002, as a reference.

METHODOLOGY

To accomplish the audit objective, we:

   • Obtained data files of active badges from site badge systems and active clearances from the CPCI system at Headquarters;

   • Used Army Audit Agency statistical sampling packages in Audit Command Language (ACL) to determine sample sizes and to select sample items;

   • Tested random samples of individuals in site badging systems to determine whether they were still employed;

   • Used ACL to compare information on all individuals with a security clearance in site badge systems to information in the CPCI. We also compared all individuals in the CPCI to information in site badge systems.
     These tests identified individuals terminated in one system but not the other;

   • Selected and tested random samples of individuals from both contractor and sub-contractor human resource listings of employee terminations to determine whether they still had an active clearance in the CPCI or an active badge in the site badge system;

   • Spoke with representatives of sponsoring organizations or company officials to determine whether individuals were still employed;

   • Provided site officials the opportunity to verify the discrepancies we discovered through our sampling process; and,

   • Confirmed with site badge personnel whether badges were actually recovered.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. Because of problems with data inputs, we questioned the validity of computer-processed data.

We assessed the Department's compliance with the Government Performance and Results Act of 1993.
The Department's Annual Performance Plan for Fiscal Year 2002 did not contain specific performance data addressing security activities to prevent unauthorized access. However, the Department's Annual Performance Plan for Fiscal Year 2003 does include more specific performance goals, targets, and program funding descriptions that do address the commitment to protect classified information and assets and prevent unauthorized access. Management waived the exit conference.

Appendix 3

PRIOR REPORTS

OFFICE OF INSPECTOR GENERAL REPORTS

   • Personnel Security Clearances and Badge Access Controls at Department Headquarters, (DOE/IG-0548, March 2002). Unauthorized individuals could have gained access to Department Headquarters. Of 147 Federal and contractor employee records selected for review, the audit found that in 9 cases the Department had either not terminated the employees' clearances or had not recovered their badges. Errors occurred because program offices had not always provided employment termination information to security operations personnel or held contractors accountable for adherence to Departmental policy.

   • The U.S. Department of Energy's Audit Follow-up Process, (DOE/IG-0447, July 1999). By eliminating the blanket clearance policies and closely monitoring individual clearance requests, the number and level of security clearances dropped substantially. Decreases in employment levels also contributed to the drop.
     However, the Department had limited success in addressing clearance processing and reinvestigations problems.

GENERAL ACCOUNTING OFFICE (GAO) REVIEWS

   • Review of DOE’s Personnel Security Clearances Program, (DOE/IG-0323, March 1993). The Department issued unnecessary clearances, clearances at a level higher than necessary, and had not terminated clearances that were no longer needed. Throughout the Department, processing of initial clearances was slow and numerous reinvestigation backlogs occurred. This occurred because field offices did not comply with regulations and procedures for clearance terminations, justifications, and recertifications. It was recommended that blanket clearances be discontinued, a critical review of clearance justifications be performed, numbers and levels of clearances be reduced, standards be developed for cases containing derogatory information, and cases adjudicated within 90 days.

   • Key Factors Underlying Security Problems at DOE Facilities, (GAO/T-RCED-99-159, April 20, 1999). The U.S. General Accounting Office (GAO) has performed numerous reviews of security that show weaknesses dating back to the early 1980s. GAO found problems with long delays in conducting security investigations; the Department’s security clearance database was incorrect; individuals with clearances that should have been terminated; and individuals with badges but without active clearances.

IG Report No.: DOE/IG-0582

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products.
We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the audit would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in this report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name _____________________________ Date __________________________

Telephone _________________________ Organization ____________________

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

Office of Inspector General (IG-1)
Department of Energy
Washington, DC 20585

ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter at (202) 586-1924.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible.
Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy, Office of Inspector General, Home Page
http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.
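
Recommendation 2 and the Appendix 2 methodology call for reconciling human resources data against the local badge system and the CPCI, and for finding individuals terminated in one system but not the other. The Python below is an added example of that reconciliation, not part of the audit report; the record layouts, field names and sample rows are constructed assumptions, and it goes slightly beyond the report's tests by excluding re-hired workers so they are not reported as exceptions.

```python
"""Three-way reconciliation: HR terminations vs. site badge system vs. CPCI.

Record layouts, field names and every sample row are constructed for this
example; they are not the Department's schemas or data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2002, 4, 15)  # the report's CPCI reference date

# Constructed HR extract: person -> (termination date, rehire date or None)
HR = {
    "P001": (date(1998, 6, 30), None),
    "P002": (date(2002, 3, 1), None),
    "P003": (date(2002, 2, 15), date(2002, 4, 1)),  # re-hired, so not an exception
    "P004": (date(2002, 4, 1), None),
}
# Constructed badge-system extract: person -> (badge type, authority active?)
BADGES = {
    "P001": ("Q", True),
    "P002": ("uncleared", True),
    "P003": ("L", True),
    "P004": ("L", False),
    "P005": ("Q", False),  # revoked locally; no HR termination on file
}
# Constructed CPCI extract: person -> (clearance level, active?)
CPCI = {
    "P001": ("Q", True),
    "P003": ("L", True),
    "P004": ("L", True),   # termination never recorded in the CPCI
    "P005": ("Q", True),   # terminated in one system but not the other
}
CLEARED = ("Q", "L")


@dataclass(frozen=True)
class Finding:
    person: str
    issue: str                 # badge_active | clearance_active | system_mismatch
    level: Optional[str]
    days_open: Optional[int]   # days since HR termination, if known


def separated(term, rehire, as_of):
    """True if the person had left, and not returned, by the as-of date."""
    rehired = rehire is not None and term < rehire <= as_of
    return term <= as_of and not rehired


def reconcile(hr, badges, cpci, as_of):
    findings = []
    # Test 1: HR says separated, but a badge or clearance is still active.
    for person, (term, rehire) in hr.items():
        if not separated(term, rehire, as_of):
            continue
        age = (as_of - term).days
        for issue, system in (("badge_active", badges), ("clearance_active", cpci)):
            level, active = system.get(person, (None, False))
            if active:
                findings.append(Finding(person, issue, level, age))
    # Test 2: cleared individuals whose badge and CPCI status disagree
    # (a missing record counts as inactive), reported only when test 1
    # has not already flagged the person.
    flagged = {f.person for f in findings}
    for person in sorted((set(badges) | set(cpci)) - flagged):
        b_level, b_active = badges.get(person, (None, False))
        c_level, c_active = cpci.get(person, (None, False))
        if (b_level in CLEARED or c_level in CLEARED) and b_active != c_active:
            findings.append(Finding(person, "system_mismatch", c_level or b_level, None))
    # Q and L exceptions first, then the longest-outstanding ones.
    rank = {"Q": 0, "L": 1}
    findings.sort(key=lambda f: (rank.get(f.level, 2), -(f.days_open or 0), f.person, f.issue))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR, BADGES, CPCI, AS_OF):
        print(f)
```

Each finding maps to a follow-up the report names: revoke badge authority and recover the badge, or confirm that a Termination Statement was received and entered in the CPCI.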